IDMerit data breach: 1 billion records of personal data exposed in KYC data leak

An unprotected database owned by IDMerit and likely containing know-your-customer (KYC) data has spilled vast amounts of personal records across multiple countries, including the USA, Germany, France, China, Brazil, and many more.
- An unsecured database linked to IDMerit exposed one billion personal records across 26 countries.
- Leaked data includes national IDs, full names, addresses, phone numbers, and potential telecom metadata.
- The United States was the most affected nation with over 203 million personal records exposed.
- Mexico, the Philippines, and European nations like Germany also had millions of exposed records.
Your identity is the currency of the digital age, and a service responsible for keeping it safe left the doors wide open. In a catastrophic security failure, an AI-powered tool used by IDMerit, a global leader in digital identity verification, has exposed a staggering one billion personal records.
In the United States alone, 204 million records were left unprotected.
The leaked details include a treasure trove of personally identifiable information (PII), including full names and addresses, as well as national identification documents and phone numbers. The exposed MongoDB instance contained several databases, covering individuals from 26 countries, making the data leak truly global.
IDMerit’s statement regarding the data leak
After we published this article, IDMerit reached out to Cybernews, saying that while the company owns and operates its own proprietary platform, IDMerit does not own, control, or store customer data or the underlying data maintained by independent data sources.
Moreover, IDMerit acknowledges that it was contacted by an ethical hacker, a freelance contributor to Cybernews. The contributor informed the company that “certain data ports associated with independent data sources could have been open, which had the potential to expose certain databases.”
“Upon receiving this notification, we immediately conducted a comprehensive review of our software, security controls, configurations, and system logs. That review identified no exposure, vulnerability, or unauthorized access within the IDMERIT environment. IDMERIT’s systems and security infrastructure have never been compromised,” IDMerit’s spokesperson explained.
The company claims to have notified relevant data source partners and worked with them to assess the matter.
According to IDMerit’s spokesperson, the partners “conducted their own internal investigations and confirmed that there has never been a data breach or exfiltration from their systems during, before, or after this event.”
“We requested a security incident report from the ethical hackers as proof, and the response was a demand for money for the report, which confirmed our suspicion that this was a ransom-related incident,” the company’s spokesperson explained.
IDMerit claims that an internal review and information from its partners revealed that there is “no indication that any customer data has been compromised.”
“We continue to maintain robust security safeguards on our systems and are taking these accusations very seriously as we continue to investigate this matter in coordination with our partners,” the spokesperson said.
Editor’s note: The researcher who provided information about the leak is a freelance contributor working with Cybernews. However, until February 26th, Cybernews was unaware of any communication between IDMerit and the researcher regarding remuneration for the findings.
The Cybernews editorial team adheres to the highest ethical standards. Our mission is solely to educate and safeguard consumers worldwide from security risks. We do not sell or resell exploit fixes to affected companies.
Instead, we notify vendors of their vulnerabilities and collaborate with them to resolve these issues without receiving any payment. We aim to make online experiences safer for everyday users, which motivates us to research and craft the best possible solutions.
Having said that, our in-house researchers did review the technical summary and confirmed that the contributor's findings were legitimate.
What personal data was leaked?
Because IDMerit is an AI-powered KYC (Know Your Customer) provider, the data it collects is incredibly sensitive. The unsecured 1-terabyte database didn't just leak passwords—it leaked the core personal identifiers used for your financial and digital life. The following structured data was left open for anyone to download:
- Full names
- Addresses
- Post codes
- Dates of birth
- National IDs
- Phone numbers
- Genders
- Email addresses
- Telco metadata
- Breach status and social profile annotations
The last data point – breach status and social profile annotations – could refer to a database identifier indicating whether the data originated from a data breach or a leaked database. However, at this point, the true meaning of the data point is unclear. The team noted that this specific data point was present only in some regions.
“At this scale, downstream risks include account takeovers, targeted phishing, credit fraud, SIM swaps, and long-tail privacy harms. Industry-wide, the case underlines how third-party identity vendors have become critical infrastructure and can become single points of catastrophic failure,” our team explained.
Who is IDMerit and how did this happen?
Our team believes the exposed database belongs to IDMerit, an AI-powered digital identity verification solutions provider. The company serves the fintech and financial services sectors, helping businesses with real-time verification tools. KYC (Know Your Customer) practices are a global norm for users to verify their identities when setting up various accounts.
Our researchers noticed the exposed instance on November 11th, 2025 and immediately contacted the company, which promptly secured the database. While there is no current evidence of malicious misuse, automated crawlers set up by threat actors constantly prowl the web for exposed instances, downloading them almost instantly once they appear.
Global data leak spans multiple countries
What’s most striking about the IDMerit data leak is its scale and global geography, with three billion records spanning over 20 countries. Several databases appeared to contain overlapping slices for the same country. However, our team believes most of the records were unique.
The country with the most exposed records was the United States, having over 203 million records leaked. The US was followed by Mexico (124M) and the Philippines (72M). Behind the first three, we see a trio of European nations: Germany (61M), Italy (53M), and France (53M).
Of the 3 billion exposed records, 1 billion are attributed to various countries and are likely to reveal sensitive data. Another 2 billion are likely various database logs, which are likely less sensitive.
“From an attacker's point of view, the database includes high-risk identifiers: multiple regions include national IDs, full dates of birth, and contact data, which are prime ingredients for identity theft, SIM-swapping, and social-engineering attacks,” our researchers said.
Moreover, threat actors love properly structured data, as it enables them to easily automate large-scale campaigns. The dedication to data structuring is so strong that attackers spend months compiling far less threatening details, only to share on data leak forums for clout.
Researchers also note that the types of exposed data differ across regions, creating distinct risks for each region. For example, Brazil's “prefill” records include social-profile and “databreachesinfo” flags, which could enable targeted fraud.
Meanwhile, several countries had “idmtelco” collections, hinting at phone-centric enrichment and a possible link to telecom datasets, putting exposed individuals at an increased risk of SIM swapping, a type of fraud where a criminal takes control of your mobile number.
Why this leak is different
Unlike old-school leaks of just emails, this database is structured. This allows hackers to use their own AI tools to:
- Execute SIM Swaps. Using your National ID and Telco Metadata to hijack your phone number and intercept security codes.
- Launch Targeted Phishing. Scammers can use your actual home address and ID number to craft highly convincing fraudulent messages.
- Bypass Identity Checks. Since this data was collected for KYC purposes, criminals can attempt to use it to impersonate victims on other financial platforms.
3 Essential steps to protect yourself now
- Freeze Your Credit: Contact credit bureaus immediately to lock your reports. This is the most effective way to prevent unauthorized loans from being opened in your name using your leaked personal data.
- Update Your 2-Factor Authentication: Move away from SMS-based security. Switch to an authenticator app (like Google Authenticator) or a physical hardware key (YubiKey).
- Verify All "Official" Contact: If you receive a call from a bank or government agency referencing your ID number or address, hang up. Locate the official number independently and call them back to verify the claim.
Leaking billions of records is becoming routine
Last week, we published our team's findings about an exposed Elasticsearch cluster that contained over 160 indices and held 8.7 billion primarily Chinese records, ranging from national citizen ID numbers to various business records.
Last December, the team uncovered an unprotected database containing 4.3 billion records, some of which included LinkedIn-derived personal information. The 16TB-strong instance contained emails, photos, employment histories, and other personal data. A single collection alone contained 732 million records, including photographs.
In July, Cybernews covered one of the largest data leaks in history, after researchers discovered several collections of login credentials, containing 16 billion records. The team found 30 exposed datasets, each containing tens of millions to more than 3.5 billion records.
The leaked data included login info for just about every online service, including Apple, Facebook, Google, GitHub, Telegram, and even government platforms.
What is the IDMerit data leak and who was affected?
The Cybernews research team discovered an exposed MongoDB database containing nearly 1 terabyte of personally identifiable information (PII), exposing approximately a billion sensitive records across 26 countries.
What personal data was exposed in the IDMerit leak?
The leaked database contained sensitive KYC verification data, including full names, addresses, dates of birth, national ID numbers, phone numbers, email addresses, and postal codes.
Why is a KYC data leak so dangerous?
KYC databases are critical infrastructure for the digital economy. When exposed, they enable attackers to commit identity theft, credit fraud, SIM swapping (taking over mobile phone numbers), and targeted phishing campaigns.
How long was the database exposed online?
The Cybernews team discovered the exposed MongoDB instance on November 11th, 2025 and immediately notified IDMerit. The company secured the database by November 12th.
- Leak discovered: November 11th, 2025
- Initial disclosure: November 12th, 2025
- Leak closed: November 12th, 2025
Updated on February 26th [02:30 p.m. GMT] with a statement from IDMerit.